FirstBlood-#1547 Private office locations disclosed on /api/locations.php
This issue was discovered on FirstBlood v3

On 2022-12-11, 0xblackbird Level 5 reported:
I found out that the /api/locations.php discloses private location data. This should not be possible for unprivileged users.

Possible cause:

The developers may have thought that it was no big deal to have this endpoint exposed to the public as long as it wasn't referenced anywhere.
I was able to reveal the private location of the office in Chicago for example. This shouldn't be possible as it is not disclosed on the home page.

Steps to reproduce:

1) After visiting /api/locations.php?location=chicago for example, we can find the full location in the response.


I recommend removing access to this endpoint for unprivileged users.

Have a nice day!

Kind regards,


P2 High

Endpoint: /api/locations.php

Parameter: location

Payload: chicago

FirstBlood ID: 62
Vulnerability Type: Access_control

The endpoint /api/locations?location= leaks the Seattle and Chicago addresses despite their being listed as PRIVATE on FirstBlood v3.
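The fix the report recommends is a server-side authorization check on the endpoint itself, rather than relying on the page not being linked. The following is an added example, not FirstBlood's own code nor anything the reporter posted: a minimal handler for a `/api/locations.php`-style endpoint that only returns records marked private to a privileged session. The record layout, the `role` field in the session, the function names and the sample addresses are all assumptions made for the example.

```php
<?php
// Added example (not FirstBlood's code): server-side access control for a
// locations endpoint. Private office records are only returned to sessions
// that pass canViewPrivate(); everything else sees public records only.
declare(strict_types=1);

// Constructed sample data. The addresses are placeholders, not real ones.
const LOCATIONS = [
    'london'  => ['city' => 'London',  'visibility' => 'public',  'address' => '1 Example Street (placeholder)'],
    'chicago' => ['city' => 'Chicago', 'visibility' => 'private', 'address' => '2 Placeholder Avenue'],
    'seattle' => ['city' => 'Seattle', 'visibility' => 'private', 'address' => '3 Placeholder Road'],
];

/**
 * Whether the current session may see private locations.
 * The session shape (['role' => 'admin']) is an assumption for this example;
 * the point is that the decision is made on the server for every request.
 */
function canViewPrivate(?array $session): bool
{
    return $session !== null && ($session['role'] ?? '') === 'admin';
}

/**
 * GET /api/locations.php?location=<key>
 * Returns [statusCode, body]. A private record requested by an unprivileged
 * session gets the same 404 as an unknown key, so the response does not
 * confirm that a private location exists.
 */
function handleLocation(string $requested, ?array $session, array $locations = LOCATIONS): array
{
    $key    = strtolower(trim($requested));
    $record = $locations[$key] ?? null;

    if ($record === null) {
        return [404, ['error' => 'not found']];
    }
    if ($record['visibility'] === 'private' && !canViewPrivate($session)) {
        return [404, ['error' => 'not found']];
    }
    return [200, $record];
}

/**
 * GET /api/locations.php with no location parameter.
 * Filters the list on the server so private entries never reach the client
 * for unprivileged sessions.
 */
function listLocations(?array $session, array $locations = LOCATIONS): array
{
    if (canViewPrivate($session)) {
        return $locations;
    }
    return array_filter($locations, fn(array $r): bool => $r['visibility'] === 'public');
}

// Stand-alone demo when run from the CLI: php locations_fixed.php
if (PHP_SAPI === 'cli') {
    $cases = [
        ['chicago', null],
        ['chicago', ['role' => 'admin']],
        ['london',  null],
        ['nowhere', null],
    ];
    foreach ($cases as [$loc, $session]) {
        [$status, $body] = handleLocation($loc, $session);
        printf("%-8s %-9s -> %d %s\n",
            $loc, $session ? 'admin' : 'anonymous', $status, json_encode($body));
    }
    echo "anonymous list: " . implode(', ', array_keys(listLocations(null))) . "\n";
}
```

Two design points worth noting: the visibility check is applied to both the single-record lookup and the listing, since fixing one and forgetting the other is how these leaks recur; and the private-but-unauthorized case deliberately returns 404 rather than 403 so an unauthenticated client cannot enumerate which location keys are private. Whether FirstBlood itself uses a `visibility` field or a session `role` is not stated in the report; both are assumptions here.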